FTP users and groups

Status
Not open for further replies.

BlazeStar

Patron
Joined
Apr 6, 2014
Messages
383
Hi guys,

I want to share some files with the external world.

Given the list of services, I figured FTP would be the best.

However, looking at the GUI and the documentation, I'm a little puzzled.

Of course right away, I disable anonymous connection.

Then the only other option is to allow "local users".

In my case, I would like to only allow certain users, such as the users who are members of the FTP group.

Is there any way to do that?

Would there be a better way than FTP to share info to external users?

Is there any way to set up SFTP?


THANKS !
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
SFTP is part of the ssh service. If you set up ssh, you've set up SFTP. A person can use SFTP if and only if they can sign in with ssh.
 

BlazeStar

Patron
Joined
Apr 6, 2014
Messages
383
Hello, even in the SSH service, I can only select a SHELL.

Therefore, there is no way to select who can have SFTP access and who can't!

Is there any service which would allow me to grant access to users of a specific group to have access to certain folders from external?
 

BlazeStar

Patron
Joined
Apr 6, 2014
Messages
383
I'm not sure what you mean by "set up a sftp chroot".

Do you mean using something like MySecureShell?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Regarding sftp chroot, read the following documentation:
http://olddoc.freenas.org/index.php/SSH

If you decide to set up a jail to handle the share (which may not be a bad idea since you are talking about making it available 'externally') the following may be a good start:
http://www.bsdnow.tv/tutorials/chroot-sftp


The more important question is how you're planning to make your FreeNAS available remotely. FreeNAS is not designed to be exposed on the internet. You should use a VPN to allow remote access.
 

BlazeStar

Patron
Joined
Apr 6, 2014
Messages
383
Hi !

The problem I have with VPNs is that, since our connection is not extraordinary, file transfers take FOREVER with a VPN, while through SFTP or FTP, transfers are much easier to do.

I'm wondering about the fact that FreeNAS is not designed to be exposed on the internet... if that is so, then why would there even be an FTP service?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
You can create a dataset, share it with a jail, configure an SFTP chroot in the jail confining users to that dataset, and port-forward to the ssh port on your jail. This way you're not exposing your FreeNAS GUI to the internet and you're not inadvertently opening the risk of having someone download your FreeNAS database file (which wouldn't be a good thing).
 

BlazeStar

Patron
Joined
Apr 6, 2014
Messages
383
I was thinking about the alleged fact that FreeNAS should NOT be exposed to the internet.

Therefore I think I might create a small CentOS VM, mount files with NFS, and create dedicated users for SFTPing.

That would leave FreeNAS completely invisible from the outside world.

Any problem with that?

Otherwise I'll proceed with that ;)
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Let me answer some of your questions.

You asked, "why is there FTP if it's not supposed to be exposed to internet"? The answer to that is simple: I use FTP to transfer from a regular computer to the FreeNAS, and vice versa. FTP offers pretty snappy transfers, but no encryption, so it's fine for "inside", but not necessarily "on the internet".

As for exposing FreeNAS to the internet, there are various degrees of "bad" there. Let's go from "insane" to "ok", in order, if you want to expose (all or part) of your NAS:

The worst, by far, and what is *NEVER* correct, is to open the SMB-related ports to the internet, and to remote in to the file shares directly. Your FreeNAS will be mining bitcoins for Russians and Chinese before dinner, and all of your data will be stolen, with probability 99.91%, if you do this. So never open up your SMB for disk/file sharing.

Opening up FTP to the internet is "bad". FTP is always in the clear (i.e., anyone can see your username/password), and certainly, anyone would be able to easily grab your files, and you'd have whatever other risks were associated to the ftp daemon (in this case, proftpd, you could research it if you wanted). It goes to "slightly less bad" if you change from the default FTP port to something crazy.

Opening up SSH/SFTP to the internet ranges from "mediocre" to "pretty good". If you're willing to do a little research, you'll see how to set up SSH/SFTP to only allow keypair logins. With those, this method is both pretty strongly authenticating, and well encrypted. The sshd service, itself, when in the keypair mode, offers very little attack surface. If you use SSH with password authentication, you have pretty good authentication, and the same well-encryption from before, but you do offer an attack surface for various types of hacking techniques (e.g., password guessing). As always, it's almost a necessity in my opinion to change from the default port if you're going to be on the internet with it---hackers will generally only be searching on the default port, and even though they can't get in, necessarily, they can still consume your bandwidth, jack up your logs, and so on, if they think you have a vulnerable system there. If you change to a high-numbered port, they are far (FAR!) less likely to just randomly notice your running service.

The VERY BEST techniques, however, involve VPNs. Anything from OpenVPN running in a jail, on a router, whatever, down to a LogMeIn Hamachi VPN on a Windows box which is providing a straight proxy for you to the SSH port on the FreeNAS. These kinds of setups offer almost no surface, whatsoever, for an illegitimate user on the internet to perform any kind of shenanigans.

WHEN they are done correctly.
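
An sshd_config fragment for what the replies above describe: SFTP limited to the members of one group, chrooted to the shared dataset, with key pair logins only. This is an added example, not configuration posted by anyone in the thread; the group name `sftponly`, the path `/mnt/tank/external` and port 22022 are assumptions.

```conf
# /etc/ssh/sshd_config (fragment). Constructed example: the group "sftponly",
# the path /mnt/tank/external and port 22022 are assumptions.

# Non-default port, as suggested in the thread. This only cuts scan noise.
Port 22022

# Key pair logins only: disable every password-based method.
PubkeyAuthentication yes
PasswordAuthentication no
# Older OpenSSH releases document this as ChallengeResponseAuthentication.
KbdInteractiveAuthentication no
PermitRootLogin no

# Only members of this group may authenticate at all.
# Add an admin group here if administrators use the same sshd.
AllowGroups sftponly

# Use the in-process SFTP server so the chroot needs no binaries or libraries.
Subsystem sftp internal-sftp

Match Group sftponly
    # Every component of this path must be owned by root and not writable by
    # group or others, or sshd refuses the session. Uploads go into a
    # subdirectory owned by the user or group.
    ChrootDirectory /mnt/tank/external
    # No shell, no scp, no remote commands: SFTP only.
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Running `sshd -t` checks the file for syntax errors before the service is restarted.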
 

BlazeStar

Patron
Joined
Apr 6, 2014
Messages
383
Hi there,

We do have a VPN, but file transfers are too slow and annoying.

SFTP gives good results, it's reliable and very easy to set up (client-wise).

That's why I thought setting up an SFTP server on a VM and mounting a specific NFS share would diminish the risk.

Then I can top it up with, as you recommended, including key pair logins.

Thanks DrKK !
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
It is my pleasure to assist you sir.
 